The document discusses disaster data recovery methods for HDDs. It describes how physical damage from events like floods, earthquakes or head crashes can corrupt HDD components like the PCB, firmware or platters, preventing normal access to data storage areas. The document outlines challenges in recovering data from scratched or dusty platters due to their close proximity to read/write heads. It proposes research into precision surface cleaning and analysis techniques to improve data recovery rates from physically damaged HDDs.
Secret of Intel Management Engine by Igor SkochinskyCODE BLUE
Intel Management Engine ("ME") is a dedicated microcontroller embedded in all recent Intel motherboard chipsets. It works independently from the main CPU, can be active even when the rest of the system is powered off, and has a dedicated connection to the network interface for out-of-band networking which bypasses the main CPU and the installed OS. It not only performs the management tasks for which it was originally designed, but also implements features such as Intel Identity Protection Technology (IPT), Protected Audio-Video Path, Intel Anti-Theft, Intel TPM, NFC communication and more. There is not much info available about how exactly it works, and this talk aims to fill the gap and describe the low-level details.
Igor Skochinsky
Igor Skochinsky is currently one of the main developers of the world-famous Interactive Disassembler and Hex-Rays Decompiler. Even before joining Hex-Rays in 2008 he had been interested in reverse engineering for a long time and had brief periods of Internet fame after releasing a dumper for DRM-ed iTunes files (QTFairUse6) and hacking the original Amazon Kindle. He spoke previously at Recon, Breakpoint and Hack.LU.
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...CODE BLUE
The modern web-scale network is a pretty complicated place. Modern techniques in Systems Management have made it trivial to create, destroy and repurpose any number of instance types. These instances can span the range from bare metal machines sitting in a datacenter, to 3rd party virtual machines on demand, and now these new containers and microservices seem to be all the rage. Instances are cattle, they are no longer pets. All of this perpetual churn and flexibility is exactly what you want in a constantly changing, highly available, and efficient infrastructure. The ability to create or destroy nodes on demand, or continuously and automatically scale up, down, and re-deploy applications as part of a continuous integration pipeline, have become necessary and an integral part of daily operations. However these systems can generate terabytes of network logs a day. And if your job is detecting, correlating, and alerting on the correct anomaly in all that data, the analogy of the needle in the haystack really doesn’t do it justice, something closer would be akin to finding a needle in the windstorm. How do you begin to collect, store, analyze, and alert on this much data without costing the company a small fortune? What are some practical steps you can take to reduce your overall risk and begin to gain more insight, visibility, and confidence into what is actually taking place on your network? This talk aims to give the attendee a solid understanding of the problem space, as well as recommendations and practical advice from someone who built their own ‘big data’ network and security monitor. It really is easier than it sounds.
[CB16] Using the CGC’s fully automated vulnerability detection tools in secur...CODE BLUE
End-user’s requirements for secure IT products are continually increased in environment that are affected directly to human life and industry such as IoT, CPS. Because vendors and end-user sell or buy products based on trustworthy or objective security evaluation results, security evaluation roles are important. Security Evaluations are divided to two parts, one is evaluation on design level such as ISO/IEC 29128(Verification of Cryptographic Protocols) and another one is post-implementation level such as ISO/IEC 15408(Common Criteria). These security evaluation standards, both ISO/IEC 29128 and ISO/IEC 15408, advise to use formal verification and automated tools when high assurance level of target products is required.
For a long time, vulnerability detection using automated tools have been tried and studied by many security researchers and hackers. And recently, the study related to automated vulnerability detection are now more active than ever in hacking community with DARPA’s CGC(Cyber Grand Challenge). But, too many tools are developed continually and usually each tool has their own purpose to use, so it’s hard to achieve ultimate goal of security evaluation effectively and verify evaluation results.
Furthermore, there are no references for categorizing about automated tools on perspective of security evaluations. So, in this presentation we will list up, categorize and analyze all of automated tools for vulnerability detection and introduce our result such as pros and cons, purpose, effectiveness, etc.
-- InHyuk Seo
My name is Inhyuk Seo(Nick: inhack). I graduated B.S. in Computer Science and Engineering at Hanyang University(ERICA) in 2015. Now I’m a researcher and M.S. of SANE(Security Analaysis aNd Evaluation) Lab at Korea University. I’m interested in Programming Language, Software Testing, Machine Learning, Artificial Intelligence.
In 2012, I completed high-quality information security education course “the Best of the Best(BoB)” hosted by KITRI(Korea Information Technology Research Institute) and conducted “Exploit Decoder for Obfuscated Javascript” Project.
I participated in many projects related with vulnerability analysis. I conducted “Smart TV Vulnerability Analysis and Security Evaluation” and “Developing Mobile Security Solution(EAL4) for Military Environment ”. Also, I participated in vulnerability analysis project for IoT products of various domestic tele-communications.
-- Jisoo Park
Jisoo Park graduated with Dongguk University B.S in Computer science engineering. He participated in secure coding research project in Programming Language Lab and KISA(Korea Internet & Security Agency). He worked as a software QA tester at anti-virus company Ahnlab. He also completed high-quality information security education course “Best of the Best” hosted by KITRI(Korea Information Technology Research Institute) and conducted security consulting for Car sharing service company.
Now, Jisoo Park is a
Secret of Intel Management Engine by Igor SkochinskyCODE BLUE
Intel Management Engine ("ME") is a dedicated microcontroller embedded in all recent Intel motherboard chipsets. It works independently from the main CPU, can be active even when the rest of the system is powered off, and has a dedicated connection to the network interface for out-of-band networking which bypasses the main CPU and the installed OS. It not only performs the management tasks for which it was originally designed, but also implements features such as Intel Identity Protection Technology (IPT), Protected Audio-Video Path, Intel Anti-Theft, Intel TPM, NFC communication and more. There is not much info available about how exactly it works, and this talk aims to fill the gap and describe the low-level details.
Igor Skochinsky
Igor Skochinsky is currently one of the main developers of the world-famous Interactive Disassembler and Hex-Rays Decompiler. Even before joining Hex-Rays in 2008 he had been interested in reverse engineering for a long time and had brief periods of Internet fame after releasing a dumper for DRM-ed iTunes files (QTFairUse6) and hacking the original Amazon Kindle. He spoke previously at Recon, Breakpoint and Hack.LU.
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...CODE BLUE
The modern web-scale network is a pretty complicated place. Modern techniques in Systems Management have made it trivial to create, destroy and repurpose any number of instance types. These instances can span the range from bare metal machines sitting in a datacenter, to 3rd party virtual machines on demand, and now these new containers and microservices seem to be all the rage. Instances are cattle, they are no longer pets. All of this perpetual churn and flexibility is exactly what you want in a constantly changing, highly available, and efficient infrastructure. The ability to create or destroy nodes on demand, or continuously and automatically scale up, down, and re-deploy applications as part of a continuous integration pipeline, have become necessary and an integral part of daily operations. However these systems can generate terabytes of network logs a day. And if your job is detecting, correlating, and alerting on the correct anomaly in all that data, the analogy of the needle in the haystack really doesn’t do it justice, something closer would be akin to finding a needle in the windstorm. How do you begin to collect, store, analyze, and alert on this much data without costing the company a small fortune? What are some practical steps you can take to reduce your overall risk and begin to gain more insight, visibility, and confidence into what is actually taking place on your network? This talk aims to give the attendee a solid understanding of the problem space, as well as recommendations and practical advice from someone who built their own ‘big data’ network and security monitor. It really is easier than it sounds.
[CB16] Using the CGC’s fully automated vulnerability detection tools in secur...CODE BLUE
End-user’s requirements for secure IT products are continually increased in environment that are affected directly to human life and industry such as IoT, CPS. Because vendors and end-user sell or buy products based on trustworthy or objective security evaluation results, security evaluation roles are important. Security Evaluations are divided to two parts, one is evaluation on design level such as ISO/IEC 29128(Verification of Cryptographic Protocols) and another one is post-implementation level such as ISO/IEC 15408(Common Criteria). These security evaluation standards, both ISO/IEC 29128 and ISO/IEC 15408, advise to use formal verification and automated tools when high assurance level of target products is required.
For a long time, vulnerability detection using automated tools have been tried and studied by many security researchers and hackers. And recently, the study related to automated vulnerability detection are now more active than ever in hacking community with DARPA’s CGC(Cyber Grand Challenge). But, too many tools are developed continually and usually each tool has their own purpose to use, so it’s hard to achieve ultimate goal of security evaluation effectively and verify evaluation results.
Furthermore, there are no references for categorizing about automated tools on perspective of security evaluations. So, in this presentation we will list up, categorize and analyze all of automated tools for vulnerability detection and introduce our result such as pros and cons, purpose, effectiveness, etc.
-- InHyuk Seo
My name is Inhyuk Seo(Nick: inhack). I graduated B.S. in Computer Science and Engineering at Hanyang University(ERICA) in 2015. Now I’m a researcher and M.S. of SANE(Security Analaysis aNd Evaluation) Lab at Korea University. I’m interested in Programming Language, Software Testing, Machine Learning, Artificial Intelligence.
In 2012, I completed high-quality information security education course “the Best of the Best(BoB)” hosted by KITRI(Korea Information Technology Research Institute) and conducted “Exploit Decoder for Obfuscated Javascript” Project.
I participated in many projects related with vulnerability analysis. I conducted “Smart TV Vulnerability Analysis and Security Evaluation” and “Developing Mobile Security Solution(EAL4) for Military Environment ”. Also, I participated in vulnerability analysis project for IoT products of various domestic tele-communications.
-- Jisoo Park
Jisoo Park graduated with Dongguk University B.S in Computer science engineering. He participated in secure coding research project in Programming Language Lab and KISA(Korea Internet & Security Agency). He worked as a software QA tester at anti-virus company Ahnlab. He also completed high-quality information security education course “Best of the Best” hosted by KITRI(Korea Information Technology Research Institute) and conducted security consulting for Car sharing service company.
Now, Jisoo Park is a
[CB16] Keynote: How much security is too much? by Karsten NohlCODE BLUE
Based on one decade of impactful security research and several years as a risk manager, Karsten Nohl reflects upon what he would have done differently in pushing a data security agenda.
Our community is convinced that stellar IT security is paramount for companies large and small: We need security for system availability, for brand reputation, to prevent fraud, and to keep data private. But is more security always better?
Poorly chosen protection measures can have large externalities on the productivity, innovation capacity, and even happiness of organizations. Can too much security be worse than too little security?
This talk investigates the trade-off between security and innovation along several examples of current security research. It finds that some hacking research is counter-productive in bringing the most security to most people, by spreading fear too widely.
---
Karsten Nohl
Karsten Nohl has spoken widely on security gaps since 2006. He and co-investigators have uncovered flaws in mobile communication, payment, and other widely-used infrastructures. In his work at an Asian 4G and digital services provider, and as Chief Scientist at Security Research Labs in Berlin, a risk management think tank specializing in emerging IT threats, Karsten challenges security assumptions in proprietary systems and is fascinated by the security-innovation trade-off. Hailing from the Rhineland, he studied electrical engineering in Heidelberg and earned a doctorate in 2008 from the University of Virginia.
Controlling USB Flash Drive Controllers: Expose of Hidden Featuresxabean
Video here, thanks to archive.org:
https://archive.org/details/ShmooCon2014_Controlling_USB_Flash_Drive_Controllers
With stories of "BadBIOS" infecting PCs simply by connecting a malicious USB flash drive to a PC, it's time we learned about flash drives and their controllers. Consumer USB flash drives are cheap, growing in capacity and shrinking in physical size. There are only around 15 prominent controller chip manufacturers whom you have never heard of, but OEM for all the popular and respected "name brands" on the market. These flash controllers have capabilities that aren't mentioned on product packaging, and can be enabled with programming you will learn during this presentation. These flash controllers can be *reprogrammed entirely* via software to do whatever you want.
Turn an old flash drive into an emulated CDROM or a CDROM + flash drive. Update the controller's firmware, disassemble it, etc. This talk will touch on the various controller manufacturers, features, and show you how to leverage them for yourself. Why spend $100 on an old SanDisk[tm] U3 Cruiser when you can spend $4 for the same features?
Richard Harman is an incident responder at SRA International's internal Security Operations Center, where he slings Perl code supporting incident response and performs analysis & reverse engineering of targeted attack malware samples. He writes and releases scripts in support of his work on github at http://github.com/warewolf. Outside of his day job, he can be found hacking on projects at the Reston, VA hackerspace Nova Labs http://www.nova-labs.org.
New immune system of information security from CHINA by WooYun - CODE BLUE 2015CODE BLUE
This talk is about the introduction of Wooyun.
WooYun is a platform where security researchers report vulnerabilities and vendors give feedbacks. While WooYun follows vulnerabilities, it also provides researchers a platform for public interests, study, communication, and research.I will introduce how WooYun works and why we start this project in my presentation, also what WooYun changes in the security circle in China, and why, when, where it built, how it developed and the difficulties when developing.
data recovery training course online offline INTERSOFT Abdullah Khan
data recovery training course with logical data recovery , physical data recovery training, hard disk circuit repairing advance course full day training for 3 days
[CB16] EXOTIC DATA RECOVERY & PARADAIS by Dai ShimogaitoCODE BLUE
Hard Disk Drives (HDD) have a hidden space for storing data. If malicious software is stored in this hidden area, it could lead to attacking computers even if they are air-gapped.
By abusing surplus space of HDD, such cyber attack against off-line industrial control systems could become possible.
Moreover, the software or any data in this hidden space can survive against formatting, OS reinstallation, malware destruction software and any conventional cybersecurity framework.
Let us call it "PARADAIS"
While the PARADAIS stays unactivated, LBAs are not mapped to the hidden data area. Therefore, even if the HDD is wiped several times such as 3-pass, 7-pass or 35-pass, it remains there as it is.
There has been no way to detect or erase the unidentified software at PARADAIS in advance when the HDD had been modified prior to your purchase or its installation. However, new solutions are being discovered by my ongoing research.
Who can predict that Windows OS may boot after the HDD is wiped by Enhanced Secure Erase ? It would be you at CODEBLUE2016.
The 2nd part of my presentation would be on DATA RECOVERY from HDD the platter surface of which has been damaged because of head crash, natural disaster or intentional destruction at crime scenes. Survey results of 12 cases show how effective the disk surface cleaning by DDRH was.
--- Dai Shimogaito
He has been researching and developing state-of-the-art data recovery technology for malfunctioning HDDs which had suffered platter damage from head crash, natural disaster and crime.
Dai, as a digital forensic investigator, has also examined digital evidences of murder, abandonment of corpse, internal corporate fraud, and labor management problems and been cooperating with law enforcement and lawyers.
Moreover, as a cyber security researcher, he has been a speaker at CODEBLUE, Matcha139 Workshop, seminars for law enforcement and cyber security companies and HTCIA International Conference & Training Expo ( Aug 2016 ).
[CB16] Keynote: How much security is too much? by Karsten NohlCODE BLUE
Based on one decade of impactful security research and several years as a risk manager, Karsten Nohl reflects upon what he would have done differently in pushing a data security agenda.
Our community is convinced that stellar IT security is paramount for companies large and small: We need security for system availability, for brand reputation, to prevent fraud, and to keep data private. But is more security always better?
Poorly chosen protection measures can have large externalities on the productivity, innovation capacity, and even happiness of organizations. Can too much security be worse than too little security?
This talk investigates the trade-off between security and innovation along several examples of current security research. It finds that some hacking research is counter-productive in bringing the most security to most people, by spreading fear too widely.
---
Karsten Nohl
Karsten Nohl has spoken widely on security gaps since 2006. He and co-investigators have uncovered flaws in mobile communication, payment, and other widely-used infrastructures. In his work at an Asian 4G and digital services provider, and as Chief Scientist at Security Research Labs in Berlin, a risk management think tank specializing in emerging IT threats, Karsten challenges security assumptions in proprietary systems and is fascinated by the security-innovation trade-off. Hailing from the Rhineland, he studied electrical engineering in Heidelberg and earned a doctorate in 2008 from the University of Virginia.
Controlling USB Flash Drive Controllers: Expose of Hidden Featuresxabean
Video here, thanks to archive.org:
https://archive.org/details/ShmooCon2014_Controlling_USB_Flash_Drive_Controllers
With stories of "BadBIOS" infecting PCs simply by connecting a malicious USB flash drive to a PC, it's time we learned about flash drives and their controllers. Consumer USB flash drives are cheap, growing in capacity and shrinking in physical size. There are only around 15 prominent controller chip manufacturers whom you have never heard of, but OEM for all the popular and respected "name brands" on the market. These flash controllers have capabilities that aren't mentioned on product packaging, and can be enabled with programming you will learn during this presentation. These flash controllers can be *reprogrammed entirely* via software to do whatever you want.
Turn an old flash drive into an emulated CDROM or a CDROM + flash drive. Update the controller's firmware, disassemble it, etc. This talk will touch on the various controller manufacturers, features, and show you how to leverage them for yourself. Why spend $100 on an old SanDisk[tm] U3 Cruiser when you can spend $4 for the same features?
Richard Harman is an incident responder at SRA International's internal Security Operations Center, where he slings Perl code supporting incident response and performs analysis & reverse engineering of targeted attack malware samples. He writes and releases scripts in support of his work on github at http://github.com/warewolf. Outside of his day job, he can be found hacking on projects at the Reston, VA hackerspace Nova Labs http://www.nova-labs.org.
New immune system of information security from CHINA by WooYun - CODE BLUE 2015CODE BLUE
This talk is about the introduction of Wooyun.
WooYun is a platform where security researchers report vulnerabilities and vendors give feedbacks. While WooYun follows vulnerabilities, it also provides researchers a platform for public interests, study, communication, and research.I will introduce how WooYun works and why we start this project in my presentation, also what WooYun changes in the security circle in China, and why, when, where it built, how it developed and the difficulties when developing.
data recovery training course online offline INTERSOFT Abdullah Khan
data recovery training course with logical data recovery , physical data recovery training, hard disk circuit repairing advance course full day training for 3 days
[CB16] EXOTIC DATA RECOVERY & PARADAIS by Dai ShimogaitoCODE BLUE
Hard Disk Drives (HDD) have a hidden space for storing data. If malicious software is stored in this hidden area, it could lead to attacking computers even if they are air-gapped.
By abusing surplus space of HDD, such cyber attack against off-line industrial control systems could become possible.
Moreover, the software or any data in this hidden space can survive against formatting, OS reinstallation, malware destruction software and any conventional cybersecurity framework.
Let us call it "PARADAIS"
While the PARADAIS stays unactivated, LBAs are not mapped to the hidden data area. Therefore, even if the HDD is wiped several times such as 3-pass, 7-pass or 35-pass, it remains there as it is.
There has been no way to detect or erase the unidentified software at PARADAIS in advance when the HDD had been modified prior to your purchase or its installation. However, new solutions are being discovered by my ongoing research.
Who can predict that Windows OS may boot after the HDD is wiped by Enhanced Secure Erase ? It would be you at CODEBLUE2016.
The 2nd part of my presentation would be on DATA RECOVERY from HDD the platter surface of which has been damaged because of head crash, natural disaster or intentional destruction at crime scenes. Survey results of 12 cases show how effective the disk surface cleaning by DDRH was.
--- Dai Shimogaito
He has been researching and developing state-of-the-art data recovery technology for malfunctioning HDDs which had suffered platter damage from head crash, natural disaster and crime.
Dai, as a digital forensic investigator, has also examined digital evidences of murder, abandonment of corpse, internal corporate fraud, and labor management problems and been cooperating with law enforcement and lawyers.
Moreover, as a cyber security researcher, he has been a speaker at CODEBLUE, Matcha139 Workshop, seminars for law enforcement and cyber security companies and HTCIA International Conference & Training Expo ( Aug 2016 ).
Watch the full webinar here: http://bit.ly/1TUuUCK
When considering flash storage, there are many misconceptions and outright myths. Especially when equating consumer-grade flash (USB sticks) to enterprise-grade SSDs. In this webinar SanDisk Chief Architect, Adam Roberts, will discuss 5 myths of flash storage and highlight what you need to look out for when choosing a storage device to accelerate your data center storage. This webinar will cover:
1.Data Protection
2.Power Fail Protection
3.Temperature Throttling/Overheating
4.QoS for Performance
5.SSD Endurance
Stay tuned for future webinars which will look at the benefits of flash beyond performance…busting a few more myths on flash.
One of the most important things you can do to improve the performance of your flash/SSDs with Aerospike is to properly prepare them. This Presentation goes through how to select, test, and prepare the drives so that you will get the best performance and lifetime out of them.
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...CODE BLUE
It started with computer hacking and Japanese linguistics as a kid. Zach Mathis has been based in Kobe, Japan, and has performed both red team services as well as blue team incident response and defense consultation for major Japanese global Japanese corporations since 2006. He is the founder of Yamato Security, one of the largest and most popular hands-on security communities in Japan, and has been providing free training since 2012 to help improve the local security community. Since 2016, he has been teaching security for the SANS institute and holds numerous GIAC certifications. Currently, he is working with other Yamato security members to provide free and open-source security tools to help security analysts with their work.
[cb22] Tales of 5G hacking by Karsten NohlCODE BLUE
Most 5G networks are built in fundamentally new ways, opening new hacking avenues.
Mobile networks have so far been monolithic systems from big vendors; now they become open vendor-mixed ecosystems. Networks are rapidly adopting cloud technologies including dockerization and orchestration. Cloud hacking techniques become highly relevant to mobile networks.
The talk dives into the hacking potential of the technologies needed for these open networks. We illustrate the security challenges with vulnerabilities we found in real-world networks.
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...CODE BLUE
Printer has become one of the essential devices in the corporate intranet for the past few years, and its functionalities have also increased significantly. Not only print or fax, cloud printing services like AirPrint are also being supported as well to make it easier to use. Direct printing from mobile devices is now a basic requirement in the IoT era. We also use it to print some internal business documents of the company, which makes it even more important to keep the printer safe.
Nowadays, most of the printers on the market do not have to be connected with USB or traditional cable. As long as you are using a LAN cable connected to the intranet, the computer can find and use the printer immediately. Most of them are based on protocols such as SLP and LLMNR. But is it really safe when vendors adopt those protocols? Furthermore, many printers do not use traditional Linux systems, but use RTOS(Real-Time Operating System) instead, how will this affect the attacker?
In this talk, we will use Canon ImageCLASS MF644Cdw and HP Color LaserJet Pro MFP M283fdw as case study, showing how to analyze and gain control access to the printer. We will also demonstrate how to use the vulnerabilities to achieve RCE in RTOS in unauthenticated situations.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...CODE BLUE
Yuuma Taki is enrolled in the Hokkaido Information University Information Media Faculty of Information Media (4th year).
At university he is focusing on learning about security for lower-level components, such OS and CPU. In his third year of undergraduate school, he worked on trying to implement the OS security mechanism "KASLR", at Sechack365.
Currently, he is learning about ROP derivative technology and embedded equipment security.
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...CODE BLUE
In October 2021, we published the first analysis of Wslink – a unique loader likely linked to the Lazarus group. Most samples are packed and protected with an advanced virtual machine (VM) obfuscator; the samples contain no clear artifacts and we initially did not associate the obfuscation with a publicly known VM, but we later managed to connect it to CodeVirtualizer. This VM introduces several additional obfuscation techniques such as insertion of junk code, encoding of virtual operands, duplication of virtual opcodes, opaque predicates, merging of virtual instructions, and a nested VM.
Our presentation analyzes the internals of the VM and describes our semi automated approach to “see through” the obfuscation techniques in reasonable time. We demonstrate the approach on some bytecode from a protected sample and compare the results with a non-obfuscated sample, found subsequent to starting our analysis, confirming the method’s validity. Our solution is based on a known deobfuscation method that extracts the semantics of the virtual opcodes, using symbolic execution with simplifying rules. We further treat the bytecode chunks and some internal constructs of the VM as concrete values instead of as symbolic ones, enabling the known deobfuscation method to deal with the additional obfuscation techniques automatically.
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...CODE BLUE
Kimsuky is a North Korean APT possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active group, CloudDragon, built a workflow functioning as a "Credential Factory," collecting and exploiting these massive credentials.
The credential factory powers CloudDragon to start its espionage campaigns. CloudDragon's campaigns have aligned with DPRK's interests, targeting the organizations and key figures playing a role in the DPRK relationship. Our database suggested that CloudDragon has possibly infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals.
CloudDragon's "Credential Factory" can be divided into three small cycles, "Daily Cycle," "Campaign Cycle," and "Post-exploit Cycle." The"Daily Cycle" can collect massive credentials and use the stolen credentials to accelerate its APT life cycle.
In the "Campaign Cycle," CloudDragon develops many new malware. While we responded to CloudDragon's incidents, we found that the actor still relied on BabyShark malware. CloudDragon once used BabyShark to deploy a new browser extension malware targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust.
In the "Post-exploit Cycle," the actor relied on hacking tools rather than malicious backdoors. We also identified that the actor used remote desktop software to prevent detection.
In this presentation, we will go through some of the most significant operations conducted by CloudDragon, and more importantly, we will provide possible scenarios of future invasions for defense and detection.
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...CODE BLUE
Social media is no doubt a critical battlefield for threat actors to launch InfoOps, especially in a critical moment such as wartime or the election season. We have seen Bot-Driven Information Operations (InfoOps, aka influence campaign) have attempted to spread disinformation, incite protests in the physical world, and doxxing against journalists.
China's Bots-Driven InfoOps, despite operating on a massive scale, are often considered to have low impact and very little organic engagement. In this talk, we will share our observations on these persistent Bots-Driven InfoOps and dissect their harmful disinformation campaigns circulated in cyberspace.
In the past, most bots-driven operations simply parroted narratives of the Chinese propaganda machine, mechanically disseminating the same propaganda and disinformation artifacts made by Chinese state media. However, recently, we saw the newly created bots turn to post artifacts in a livelier manner. They utilized various tactics, including reposting screenshots of forum posts and disguised as members of “Milk Tea Alliance,” to create a false appearance that such content is being echoed across cyberspace.
We particularly focus on an ongoing China's bots-driven InfoOps targeting Taiwan, which we dub "Operation ChinaRoot." Starting in mid-2021, the bots have been disseminating manipulated information about Taiwan's local politics and Covid-19 measures. Our further investigation has also identified the linkage between Operation ChinaRoot and other Chinese state-linked networks such as DRAGONBRIDGE and Spamouflage.
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...CODE BLUE
Malwares written in Go is increasing every year. Go's cross-platform nature makes it an opportune language for attackers who wish to target multiple platforms. On the other hand, the statically linked libraries make it difficult to distinguish between user functions and libraries, making it difficult for analysts to analyze. This situation has increased the demand for Go malware classification and exploration.
In this talk, we will demonstrate the feasibility of computing similarity and classification of Go malware using a newly proposed method called gimpfuzzy. We have implemented "gimpfuzzy", which incorporates Fuzzy Hashing into the existing gimphash method. In this talk, we will verify the discrimination rate of the classification using the proposed method and confirm the validity of the proposed method by discussing some examples from the classified results. We will also discuss issues in Go-malware classification.
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...CODE BLUE
Malware analysts normally obtain IP addresses of the malware's command & control (C2) servers by analyzing samples. This approach works in commoditized attacks or campaigns. However, with targeted attacks using APT malware, it's difficult to acquire a sufficient number of samples for organizations other than antivirus companies. As a result, malware C2 IOCs collected by a single organization are just the tip of the iceberg.
For years, I have reversed the C2 protocols of high-profile APT malware families then discovered the active C2 servers on the Internet by emulating the protocols. In this presentation, I will explain how to emulate the protocols of two long-term pieces of malware used by PRC-linked cyber espionage threat actors: Winnti 4.0 and ShadowPad.
Both pieces of malware support multiple C2 protocols like TCP/TLS/HTTP/HTTPS/UDP. It's also common to have different data formats and encoding algorithms per each protocol in one piece of malware. I'll cover the protocol details while referring to unique functions such as server-mode in Winnti 4.0 and multiple protocol listening at a single port in ShadowPad. Additionally, I'll share the findings regarding the Internet-wide C2 scanning and its limitations.
After the presentation, I'll publish over 140 C2 IOCs with the date ranges in which they were discovered. These dates are more helpful than just IP address information since the C2s are typically found on hosted servers, meaning that the C2 could sometimes exist on a specific IP only for a very limited time. 65% of these IOCs have 0 detection on VirusTotal as of the time of this writing.
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...CODE BLUE
We are swamped with new types of malware every day. The goal of malware analysis is not to reveal every single detail of the malware. It is more important to develop tools for efficiency or introduce automation to avoid repeating the same analysis process. Therefore, malware analysts usually actively develop tools and build analysis systems. On the other hand, it costs a lot for such tool developments and system maintenance. Incident trends change daily, and malware keeps evolving. However, it is not easy to keep up with new threats. Malware analysts spend a long time maintaining their analysis systems, and it results in reducing their time for necessary analysis of new types of malware.
To solve these problems, we incorporate DevOps practices into malware analysis to reduce the cost of system maintenance by using CI/CD and Serverless. This presentation shares our experience on how CI/CD, Serverless, and other cloud technologies can be used to streamline malware analysis. Specifically, the following case studies are discussed.
* Malware C2 Monitoring
* Malware Hunting using Cloud
* YARA CI/CD system
* Malware Analysis System on Cloud
* Memory Forensic on Cloud
Through the above case studies, we will share the benefits and tips of using the cloud and show how to build a similar system using Infrastructure as Code (IaC). The audience will learn how to improve the efficiency of malware analysis and build a malware analysis system using Cloud infrastructure.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
When stars align: studies in data quality, knowledge graphs, and machine lear...
Preventing hard disk firmware manipulation attack and disaster recovery by Dai Shimogaito
1. Disaster Data Recovery method for HDD
by Dai Shimogaito
January, 17th, 2014
at CODEBLUE in Tokyo
2. What is Disaster Recovery ?
1.To Recover Computer System
which had suffered from natural disaster, like
tsunami, river flood, storm, and earthquake
Platter Surface Damage
2.To Protect Computer System and get Ready
for a large scale crash.
AFTER
Disaster
The most difficult
problem for data
recovery
BEFORE
Disaster
Physical Damage caused by Software
HDD Customization for Platter Damage
3. Three Failures Lead to Data Loss
• Logical Failure
• System failure
• Data corruption
• Deletion of data.
• Electronic Failure
• Printed Circuit Board (PCB)
• On or more of the PCB components
• ROM or the System Area data is damaged.
• Physical Failure
• Sticktion
• Spindle bearing is frozen
• Head crash (dropped hard drive).
4. Features of HDD which suffered from natural disaster
1. Chips on PCB are gone
2. HDD falls down and gets stong shock
3. Dirt comes inside HDD
4. Water comes inside HDD
Severe Damage !
Normal Data Recovery Process is useless, because the damage level is extremely high
6. What is Data Recovery ?
Trying to image data from non-accessible HDD sector by sector.
アクセス不能なHDDから、できるだけ多くのデータをクローンコピー取得を試
みる
Copy
Broken
No access to data
(故障でアクセス不能)
Good
Full Access to data
(正常動作するHDD)
7. What is Data Recovery ?
Basically, parts replacement is the way for temporary repair.
基本的には、故障した部品を交換して、一時的にHDDを復活させます。
Fire Accident
8. What is Data Recovery ?
100% clone is always preferrable, but the result depends on the type of damage to HDD
and the data recovery process.
できれば100%クローンコピーの作成が望ましいのですが、故障の種類や損傷の
強弱、そして復旧プロセスの違いによっては、回収率が低くなることがあります
。
←
Low
High →
9. Replaceability with Donor Part (ドナー部品との置換性)
HSA YES [ Head Stack Assembly ]
Head Map, Capacity, Architecture Family, Microjog
SPM YES [ Spindle Motor ]
Seizure Problem, Lubricating oil
PCB YES
[ Printed Circuit Board ]
Serial ROM, NV-RAM, Fuse, Resister, Diode,
Capacitor, Coil, Microchip / Repairment is also useful
FW YES & NO
[ Firmware ]
Unique module, Non-unique module, Regeneratable
module, Essential Module
Disk NO [ Platter ]
Bad Sector, Scratch, particules on surface
13. Replaceability with Donor Part (ドナー部品との置換性)
HSA YES
SPM YES
PCB YES
FW YES & NO
Disk NO
SA
Service Area
UA
User Area
SA
SA
SA
SA
SA SA SA
SA
SA
SA
SA
SA
SA
SA
SA SA
SA
SA
SA
Firmware = Service Modules
SA Modules are located on platters
14. Replaceability with Donor Part (ドナー部品との置換性)
HSA YES
SPM YES
PCB YES
FW YES & NO
Disk NO
Data is recorded into platters.
Replacement means nothing.
15. Replaceability with Donor Part
HSA YES [ Head Stack Assembly ]
Head Map, Capacity, Architecture Family, Microjog
SPM YES [ Spindle Motor ]
If unique parts are corrupt, Seizure Problem, there Lubricating is no way oil
to recover data
PCB YES
[ Printed Circuit Board ]
Serial ROM, NV-RAM, Fuse, Resister, Diode,
Capacitor, Coil, Microchip / Repairment is also useful
FW YES & NO
[ Firmware ]
Unique module, Non-unique module, Regeneratable
module, Essential Module
Disk NO [ Platter ]
Bad Sector, Scratch, particules on surface
21. For a long time, DR from scratched disk has been impossible
If the surface is partially damaged, there should be
recoverable data in the areas which were not
damaged.
部分的にしかキズが付いていないなら、
それ以外の部分にはデータは残っている
はず、、、、、、
22. Why is it so difficult to read damaged surface ?
Let’s take an extreme close look at
Disk & Head !
23. Disk Surface & Slider
Flying Height
1-3 nm
Lubricant Layer 1nm
潤滑層Diamond Like Carbon Coating Layer コーティング
層
Magnetic Layer
磁性層
3nm
Disk Rotation Direction →
1 ~3nm
Slider
スライダ
R/W Head
24. The gap between Head and Disk is very small
Slider
Flying
Height
1-3nm
PPaarrttiiccllee SSiizzee ooff
CCiiggaarreettttee SSmmookkee
110000--11000000nnmm
25. How head crash damages the surface
Slider R/W
Lubricant Layer
DLC Layer
Magnetic Layer
Head
Slider R/W
Lubricant Layer
DLC Layer
Magnetic Layer
Head
Slider R/W
Lubricant Layer
DLC Layer
Magnetic Layer
Head
26. Cause of malfunction of HSA when reading damaged surface
1. Scratch is not the main cause of
the bad operation of Head Stack
Assembly
2. Particles on the surface stick to
sliders.
3. Slider’s flying becomes
unstable because of the particles
on the surface of the disk and
the sliders.
So, Let’s clean the surface !
43. Translator
Converter function between LBA and PBA
If the translator is broken, no data is accessible. One of the most important module.
論理アドレスと物理アドレスの変換テーブル
このデータが読めなければ、プラッタ上の全ての磁気データを読み出すことができたとしても、ファイル
やフォルダは一切復旧できません。SAモジュールの中でもトップクラスの重要度です。
PBA
物理アドレス
LBA
論理アドレス
0001
0687
1968
3786
9821
0001
0508
3544
9871
0051
Access Request
From Host
ホストからの
Access to the physically アクセス要求
Assigned position
プラッタ上の指定
エリアにアクセス
44. SA Modules are loaded into PCB
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
Complete
(^o^)
45. When SA Modules loading completes fine
PowerON Ready
Wow , I did it !
I have access to all
data !
やった!
LBA全域アクセス
できるぞー!
LBA Zone
46. Damage of SA Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
Error!
Can’t Read
Or
Module is
corrupted
ABORT
47. Damage of SA Module : No LBA Access
PowerON Ready
I can’t access LBA zone,
because there was a SA module
error.
The data should be in LBA Zone,
but I can not access LBA 0
SAモジュールに異常があった
から、LBA領域にアクセスで
きない。HDDにはデータある
はずなのにな。
LBA Zone
49. If the SA module error was caused intentionally by ,,,,,
もし、誰かがわざとSAモジュールに異常を生じさせたら、、、
50. Intentional Damage to SA module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
51. Intentional Damage to SA module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
52. Damage of SA Module : No LBA Access
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
Error!
Can’t Read
Or
Module is
corrupted
53. Intentional Damage to SA module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
Error!
Can’t Read
Or
Module is
corrupted
54. Damage of SA Module : No LBA Access
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
SA
Module
Error!
Can’t Read
Or
Module is
corrupted
ABORT
57. Main Concept of HiDR ( High Integrity Data Recovery )
SAモジュールは百種以上!
このサンプル事例では、
WD10EADS-22M2B0 を使用。
SAモジュール数は全部で397 種
58. Main Concept of HiDR ( High Integrity Data Recovery )
このサンプル事例では、
WD10EADS-22M2B0 を使用。
SAモジュール数は全部で397 種
必須かつユニークなのは7 種
7 ÷ 397 ≒ 1.76%
59. Main Concept of HiDR ( High Integrity Data Recovery )
Only 1.76%
60. Hot Swap Method : ホットスワップ手法
通電した状態のまま、PatientにPCBを付け替えます。
通電したまま
61. Main Concept of HiDR ( High Integrity Data Recovery )
未開封、ヘッド交換なしでID認
識しないHDDでもデータが読め
る
必要最低限のモジュールアクセス
だけで済む
障害部位を確実かつ詳細に把握し
、尚且つデバイスの特徴を予め研
究調査しておくことで、より安全
かつ多くのデータを回収すること
ができる。
クリーンエア環境下とはいえ、開
封時には異物が混入することは避
けられない。クリーンルームが絶
対にキレイとは限らない。
Non-Destructive Method even for
HDD which doesn’t give its device ID.
The least access to the magnetic disk
for its booting is enough for data
recovery.
It is good to know the details of SA
modules because the integrity of data
recovery process becomes very high.
Do not rely too much upon clean
rooms because inside of the clean room
is not always clean.
62. Security or Utility
Hacked Cracked
Good for
Data leakage preventing
VS Bad for
Future data use
63. HDD customization against Future SA Damage
Head Platter
Head 5
Head 4
Head 3
Head 2
Head 1
Head 0
Head Map
64. HDD customization against Future SA Damage
Head 5
Head 4
Head 3
Head 2
Head 1
Head 0
System Head
Head Platter
65. HDD customization against Future SA Damage
Head 5
Head 4
Head 3
Head 2
Head 1
Head 0
System Disk
Head Platter
66. HDD customization against Future SA Damage
SA exists only on the system disk, h0 and h1
SA Region for h2,h3,h4,h5 are empty
Head Platter
Head 5
Head 4
Head 3
Head 2
Head 1
Head 0
67. HDD customization against Future SA Damage
Utilize the empty zone for SA backup !
Head Platter
Head 5
Head 4
Head 3
Head 2
Head 1
Head 0
68. http://www.disaster-data-recovery.com/
Initial Response Guideline
For Disaster Effected HDD
1. Do NOT Power ON !
電気を入れない!
2.Do NOT Dry before cleaning !
洗浄前に乾燥させない!
3.Sea Water should be removed ASAP !
海水で腐食は待ったなし!
ガイドラインを多言語化(英語・日本語・ロシア語・中国
語)